spec-compliance-review

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, NO_CODE
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and process untrusted data from implementation code and design specifications, which could potentially contain malicious instructions meant to manipulate the audit results.
  • Ingestion points: Processes content from several untrusted sources including source code directories (src/, app/), visual specifications (ui/03_visual_spec/), and OpenSpec files (proposal.md, spec.md).
  • Boundary markers: The instructions do not specify delimiters around ingested content or system-level prompts directing the agent to ignore instructions embedded in the ingested files.
  • Capability inventory: The skill's operations are strictly limited to reading local files and writing reports (Markdown and JSON) to the 06_spec_review/ directory. No network access, subprocess execution, or dynamic code evaluation (eval/exec) capabilities were detected.
  • Sanitization: No mechanisms for sanitizing or validating the content of ingested files are described before processing by the agent.
  • [NO_CODE]: The skill consists entirely of Markdown-based instructions and reference documentation. It does not include any executable scripts (such as Python, JavaScript, or Shell scripts) or binary executables, which eliminates common attack vectors related to malicious code execution, dependency vulnerabilities, or privilege escalation.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 15, 2026, 07:17 PM
Security Audit — agent-trust-hub — spec-compliance-review